C.3.1.3 - Security management

Security Management involves the physical protection of an organization’s personnel, assets, and facilities (including security clearance management).

Impacts to some information and information systems associated with security management may affect the security of some critical infrastructure elements and key national assets (e.g., nuclear power plants, dams, and other government facilities). Impact levels associated with security information directly relate to the potential threat to human life associated with the asset(s) being protected (e.g., consequences to the public of terrorist access to dams or nuclear power plants). The following recommended categorization of the security management information type is subject to change where critical infrastructure elements or key national assets are involved:

Security category

C.3.1.3 - Security management = {(confidentiality, Moderate), (integrity, Moderate), (availability, Low)}

Confidentiality Moderate

The confidentiality impact level is the effect of unauthorized disclosure of security management

Integrity Moderate

The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. The consequences of unauthorized modification or destruction of security management information may depend on the urgency with which the information is needed or the immediacy with which the information is used. In cases of intrusion indications, security management information can be time-critical. The consequences of unauthorized modification or destruction of time-critical security management information can reasonably be expected to result in physical security vulnerabilities. The range of potential consequences is covered above in Confidentiality.

Recommended Integrity Impact Level: The provisional integrity impact level recommended for most security management information is moderate.

Availability Low

The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to re-establish access to the security management information. Functions supported by most security management information are tolerant of delays. Typically, disruption of access to security management information will have a limited adverse effect on agency operations (including mission functions and public confidence in the agency), agency assets, or individuals.

Special Factors Affecting Availability Impact Determination: Exceptions may include alarm and alert communications and interconnections for security management systems and automated control systems that support security management processes (e.g., door and gate operations in buildings to which access is limited, such as detention facilities and many Federal office buildings). For these exceptions, the data is time-critical. The availability impact level associated with unauthorized modification or destruction of such alarm, alert, and automated process security management information may be high.

Recommended Availability Impact Level: The provisional availability impact level recommended for security management information is low.